A flaw was found in rubygem-actionview before versions 5.2.4.4 and 6.0.3.3. When an HTML-unsafe string is passed as the default for a missing translation key that Action View treats as HTML-safe (a key named html or ending in _html), the default string is incorrectly marked as HTML-safe and returned without escaping, so a default taken from untrusted input (request parameters, user-supplied model attributes) can lead to cross-site scripting.
Created rubygem-actionview tracking bugs for this issue:
Affects: fedora-all [bug 1877568]
Technical information: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc?pli=1
Upstream patch: https://github.com/rails/rails/commit/e663f084460ea56c55c3dc76f78c7caeddeeb02e
Red Hat CloudForms and Red Hat Satellite 6 ship the affected ActionView RubyGem; however, they are not vulnerable because their product code does not use the affected pattern (passing an untrusted default for an HTML-safe translation key).
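The pattern behind the flaw described above, and the thing to grep a codebase for before repeating the "not vulnerable" claim, is a translate call for an HTML-safe key whose default: is not a string literal. The following audit helper is an added example written for this page; it is not Rails code and not Red Hat product code. The sample view lines are constructed, and the regexes only handle single-line t(...)/translate(...) calls that use the default: keyword form (multi-line calls and the :default => form are assumed out of scope), so treat it as a first-pass grep rather than proof that an application is clean.

```ruby
# Added audit helper for this advisory (not Rails code, not product code):
# flags translate calls whose key Action View renders as HTML-safe and whose
# default: value is not a string literal. On actionview before the fix that
# default came back marked html_safe without being escaped.

# Keys Action View treats as HTML-safe: "html", "*_html", "*.html".
def html_safe_key?(key)
  key == "html" || key.end_with?("_html", ".html")
end

# Single-line t("key", ...) / translate("key", ...) calls only (assumption:
# multi-line calls and the :default => hash-rocket form are not handled).
TRANSLATE_CALL = /\b(?:t|translate)\(\s*(?<q>['"])(?<key>[^'"]+)\k<q>\s*,(?<args>[^)]*)\)/
DEFAULT_ARG    = /\bdefault:\s*(?<value>[^,]+)/
STRING_LITERAL = /\A(['"]).*\1\z/

Finding = Struct.new(:line_no, :key, :default, :literal)

# Every translate call on an HTML-safe key that supplies a default:, literal or not.
def audit_view(source)
  findings = []
  source.each_line.with_index(1) do |line, line_no|
    line.scan(TRANSLATE_CALL) do
      m = Regexp.last_match
      next unless html_safe_key?(m[:key])
      d = DEFAULT_ARG.match(m[:args]) or next
      value = d[:value].strip
      findings << Finding.new(line_no, m[:key], value, STRING_LITERAL.match?(value))
    end
  end
  findings
end

# The dangerous subset: defaults that are not string literals (params, model
# attributes, helper results), i.e. values an attacker may control.
def untrusted_defaults(source)
  audit_view(source).reject(&:literal)
end

# Constructed sample view lines (not taken from any real product).
SAMPLE_VIEW = <<~'ERB'
  <h1><%= t("welcome.title_html", default: "Welcome <b>%{name}</b>", name: @user.name) %></h1>
  <p><%= t("banner_html", default: params[:banner]) %></p>
  <p><%= t("plain.message", default: params[:msg]) %></p>
  <p><%= translate("footer.html", default: @site.footer) %></p>
ERB

if __FILE__ == $PROGRAM_NAME
  untrusted_defaults(SAMPLE_VIEW).each do |f|
    puts "line #{f.line_no}: t(#{f.key.inspect}, default: #{f.default}) renders the default unescaped on unpatched actionview"
  end
end
```

Running it reports lines 2 and 4: the literal default on line 1 is developer-controlled content (its %{name} interpolation is escaped by Action View for HTML-safe keys), and line 3 uses a plain key, which is always escaped. Hits on lines like 2 and 4 are the ones that need either the patched gem or an explicit ERB::Util.html_escape around the default.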